Plain English explanation for usage of OAuth in conjunction with an internal user management
<p>I'm new to OAuth, and although I have scanned through many documents, I don't seem to have yet a good architecture / design for a secure web application, answering most/all of the OWASP Top Ten.</p>
<p>My newbie questions are:</p>
<ul>
<li>Why can't I just rely purely on OAuth? Why does a user need credentials in my own application?</li>
<li>If I do, do I need to hash / salt anything if I save it? I don't store any passwords, but what about tokens?</li>
<li>I still need to persist the users so they won't log in every time (like in an OS) - do I
<ul>
<li>Somehow use the OAuth token (save it? does it even make sense)?</li>
<li>Or use the plain old httpOnly secure cookie (if so, what happens if they log out of the OAuth provider? Shouldn't I in this case ignore my cookie and let them log out)?</li>
</ul></li>
<li>How do I implement logging out? I can't force them to log out of the OAuth provider, and if I only delete the httpOnly cookie / invalidate their session locally, is that enough? Any security issues?</li>
<li>How do I implement single sign-on? I don't want the user, after approving, to click again "log in using Facebook / Twitter / Google". I want an effect similar to SO (page refreshes and "welcomes you back"). What are the best practices to do that? Why does SO refresh the page (I assume it has to do with the fact it needs to be client side, but I don't fully understand how it works to even know what to ask)?</li>
</ul>
<p>I guess I have a lot to learn, but reading on so many potential security issues, and having to master so many different topics, seems like a good potential for me missing something that someone later will exploit.</p>
<p>Is using a framework such as Spring Security, or using Lift's built-in user management, going to save me all this headache? Or do I have to know exactly what I am doing to avoid things like Session Fixation, Cross Site Request Forgery, Cross Site Scripting, Rainbow Tables and other things I only remotely get...</p>
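<p>The local-session part of the question (keep the provider's token server-side rather than in a cookie, persist the login with an HttpOnly/Secure cookie, log out by invalidating the local session, and protect the OAuth callback against CSRF with the OAuth 2.0 <code>state</code> parameter), as an added example in Python. This is not code from the original post or from any framework named in it; the in-memory dictionaries, the TTL constants and the cookie name <code>sid</code> are assumptions for illustration, and a real application would back the store with a database or cache.</p>

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TTL = 3600   # local session lifetime in seconds (assumed value)
STATE_TTL = 600      # how long a pending OAuth `state` stays valid (assumed value)


@dataclass
class Session:
    user_id: str
    provider_token: str   # provider access token; stays server-side, never goes in a cookie
    expires_at: float


def _key(token: str) -> str:
    # Store only a hash of the opaque token, so a leaked session table cannot be
    # replayed without the cookie value the browser holds. No salt is needed:
    # the token is 256 bits of CSPRNG output, not a user-chosen password.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._pending_states: Dict[str, float] = {}

    def begin_login(self, now: Optional[float] = None) -> str:
        """Mint the one-time `state` value to send in the authorization redirect."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        self._pending_states[_key(state)] = now + STATE_TTL
        return state

    def complete_login(self, state: str, user_id: str, provider_token: str,
                       now: Optional[float] = None) -> str:
        """Handle the provider callback: verify `state`, then start a local session.

        `user_id` and `provider_token` are what the app obtained from the provider
        after exchanging the authorization code (that exchange is out of scope here).
        """
        now = time.time() if now is None else now
        deadline = self._pending_states.pop(_key(state), None)   # single use
        if deadline is None or deadline < now:
            raise PermissionError("unknown or expired OAuth state (possible CSRF)")
        session_id = secrets.token_urlsafe(32)                    # fresh id: no fixation
        self._sessions[_key(session_id)] = Session(user_id, provider_token, now + SESSION_TTL)
        return session_id

    def lookup(self, session_id: str, now: Optional[float] = None) -> Optional[Session]:
        """Resolve the cookie value from a request; None means 'not logged in'."""
        now = time.time() if now is None else now
        sess = self._sessions.get(_key(session_id))
        if sess is None:
            return None
        if sess.expires_at < now:
            self._sessions.pop(_key(session_id), None)
            return None
        return sess

    def logout(self, session_id: str) -> bool:
        """Invalidate the local session server-side; the provider's own login is untouched."""
        return self._sessions.pop(_key(session_id), None) is not None


def session_cookie(session_id: str) -> str:
    """Set-Cookie value carrying only the opaque local session id."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

<p>Two points the code makes concrete: the browser only ever sees the random local session id, so the provider token never has to be hashed for the client's sake (encrypting it at rest is a separate, optional concern), and the provider's session and the local session are independent, so a user logging out at the provider does not end the local session; the local TTL is the lever that bounds how long that mismatch can last. Deleting the cookie alone is not a logout; the server-side <code>logout</code> is what makes a stolen cookie value useless afterwards.</p>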